DNS网域教育训练电子讲义.ppt (DNS Domain Education and Training Handout; preview of 5 of 150 pages)

NCTU/TWNIC DNS Tutorial

[Only the preview pages are present: slides 5-8 and 22-40 are missing and slide 76 is cut off. The site's text extraction also dropped IP addresses, "@" signs and several host names, so values such as "masters 35;" or "IN A 3" below are truncated remnants, not the original configuration.]

Slide 1: TWNIC-commissioned DNS Education and Training Course
  For the DNS/BIND system administration basic and advanced classes.
  Organizer: Taiwan Network Information Center (TWNIC)
  Executing unit: National Chiao Tung University (NCTU)
  Co-organizers: Chunghwa Telecom Training Institute, National Chung Hsing University, Kaohsiung County Education Network Center
  Course material compiled by: National Chiao Tung University

Slide 2: Course Outline
  - Part 1 - Basics of DNS
  - Part 2 - Introduction to BIND/named
  - Part 3 - DNS debugging tools
  - Part 4 - DNS FAQ
  - Part 5 - Advanced planning of DNS network systems
  - Part 6 - Case Study
  - Appendix - Other related topics
  Course classification:
  - Basic class: Parts 1, 2, 3, 4 + hands-on lab
  - Advanced class: Parts 3, 4, 5, 6 + hands-on lab

Slide 3: Part 1 - Introduction to the DNS system
  - Basic system operation
  - Distributed system architecture
  - DNS traffic statistics (MRTG/Netflow)
  - DNS and network security
  - DNS and spam mail prevention
  - Other related topics: reverse DNS configuration and network delay/performance; Chinese DNS

Slide 4: DNS Basics
  - What is DNS?
  - Basic DNS operating principles (diagram)
  - DNS registration
  [Slides 5-8 are not in the preview; only a fragment survives: "... (Canonical Name) proxy.XYZ.edu.tw - wproxy1.XYZ.edu.tw; Others"]

Slide 9: Hierarchical Architecture of the current DNS System
  [Diagram: root servers; top-level domains com, org, net, gov, mil, edu, INT, arpa (in-addr, IP6, NSAP) and the ccTLDs cn, kr, vn, tw; second-level labels edu, com, net, org, gov, mil under tw; hc, hchs, hgsh, nehs, ncku and NCTU beneath them, down to hosts such as www, cis, ee, cc, bbs, mail, ns1 and ccserv2.cc.NCTU.edu.tw; the in-addr.arpa branch shows 140, 203, 127 and 192.]

Slide 10: Special DNS servers
  - Root DNS servers (13 in total): a.root-..., b.root-..., ..., m.root-.... Because of the 512-byte limitation, no more than 13 DNS servers can be listed in a DNS UDP packet, even with encoding.
  - Generic top-level domain (gTLD) servers, e.g. com, net, org, etc.
  - Country-code top-level domain (ccTLD) servers, e.g. cn, kr, jp, tw, us, vn, etc.

Slide 11: ccSLD Naming Convention in DNS
  ccTLD = country-code top-level domain; ccSLD = country-code second-level domain.
  - 3-character convention: com, edu, org, etc. (tw, us, ...)
  - 2-character convention: co, ac, or, ... (uk, jp, ...)
  Equivalents: Ac / Edu, Co / Com, Or / Org

Slide 12: Separation of registries and registrars
  A new trend in DNS: any organization or company should be allowed to perform only one of the following two kinds of business.
  - Registry: an organization that accepts registrations of domain zones from registrars (e.g. TWNIC, APNIC, InterNIC, etc.)
  - Registrar: organizations or companies that do DNS registrations for other customers (e.g. ISPs)

Slide 13: DNS/IP-related Organizations
  - IP assignment and DNS registrations: global - regional - country-level
  - ICANN (The Internet Corporation for Assigned Names and Numbers)
  - IANA (Internet Assigned Numbers Authority)
  - InterNIC, APNIC, RIPE NCC, ...
  - KRNIC, TWNIC, VNNIC, ...
  - Multilingual Internet Names Consortium

Slide 14: IP allocation management in Taiwan and .tw domain registration - .tw

Slide 15: DNS Operation Principle
  [Diagram: ordinary DNS queries from the local DNS server to the Internet, either directly (direct mode) or through a remote DNS forwarding server (indirect mode); WINS/DNS queries to the DNS server.]

Slide 16: Typical DNS Management Issues

Slide 17: Basic functions/attributes of DNS servers
  - Authoritative (master, slave): SOA, NS
  - Caching (recursive) vs. iterative (non-caching)
  - Time-To-Live (TTL; valid time for caching)
  - DNS cache vs. Web cache
  - Positive caching vs. negative caching
  - Forwarding: total vs. selective forwarding; NetBIOS (port 137) to DNS (port 53) forwarding; DNS forwarder

Slide 18: Generic System Configuration Issues
  - Load sharing/balancing (DNS, Mail, ...): improves overall network and system performance (global internetworking)
  - Backup system (DNS, Mail, ...): high availability/reliability
  - Relaying system (DNS, Mail, WWW); similar terms: proxy, forwarding
  - Caching (DNS, WWW proxy, FTP mirror)

Slide 19: Query/Response Messages
  - Iterative query/referral vs. recursive query
  - Inverse query vs. reverse pointer query
  - Round-robin vs. load balancing
  - Round-trip time (DNS query)
  - Examples: DNS query/response

Slide 20: Ordinary DNS query
  Q: .tw  R: 28  (Dl: local DNS server, Dr: remote DNS server)
  [Diagram: steps 1(Q) and 4(R) between the client and Dl; steps 2(Q) and 3(R) between Dl and Dr.]

Slide 21: DNS Cache Mechanism (cf. the Web caching mechanism)
  - The cache operation principle
  - TTL
  [Slides 22-40 are not in the preview.]

Slide 41 (title not in preview)
  - ... rfc 1535)
  - DNS Dynamic Updates (v8,9; RFC 2136)
  - DNS Change Notification (v8,9; RFC 1996)
  - Flexible, categorized logging system (v8,9)
  - IP-address-based access control for queries, zone transfers and updates that may be specified on a zone-by-zone basis: allow-query (v8,9), allow-recursion (v9 only), allow-transfer (v8,9)

Slide 42: Important BIND Features (v4 - v8 - v9) 2
  - New name daemon control program: ndc (v8), rndc (v9)
  - CIDR-like classless delegation
  - More efficient zone transfers: no fork() on outbound! (v8)
  - Improved performance for servers with thousands of zones
  - Incremental zone transfer, IXFR (v8,9; rfc 1995)
  - New DNS RRs (rfc 1183): RP, AFSDB, ISDN, X25, RT; LOC (rfc 1876), SRV (rfc 2052)
  - Secure zones, DNSSEC (v9)
  - Many bug fixes, including patches for all known security holes

Slide 43: BIND Server Configuration
  - Server configuration file: /etc/named.boot (v4), /etc/named.conf (v8,9); named-bootconf.pl (v4 -> v8 automatic translation program)
  - Zone data files (forward type)
  named.boot (v4) example:
    ;  domain                   source file or host
    ;-
    directory   /var/named
    ;
    cache       .                        named.root
    ;
    primary     localhost                Localhost
    primary     0.0.127.IN-ADDR.ARPA     Rev-127.0
    ; deleted
    primary     XYZ.edu.tw               Zone.XYZ
    secondary   ADM.XYZ.edu.tw           Zone.ADM
    primary     CC.XYZ.edu.tw            Zone.CC
    ;deleted .
    primary     168.192.IN-ADDR.ARPA     R-192.168
    primary     1.168.192..              R-192.168.1
    secondary   2.168.192..              R-192.118.2

Slide 45: DNS Server configuration (template) - /etc/named.conf (v8, v9)
    // Access Control list Block
    acl "L1" { ... };
    acl "L2" { ... };
    //- Logging block -
    logging { ... };
    //- controls
    controls { ... };
    key rndc_key { ... };
    //- options
    options { ... };
    //- zone
    zone "." { type hint; file "named.root"; };
    zone "localhost" { type master; file "Localhost"; };

Slide 46: DNS Server Options - /etc/named.conf (v8, v9)
    options {
        directory "/var/named";
        pid-file "named.pid";
        forwarders { some-ip-address; };
    };
    zone "." { type hint; file "named.root"; };          // root hint file
    zone "localhost" { type master; file "Localhost"; };
    zone "0.0.127.IN-ADDR.ARPA" { type master; file "Rev-127.0"; };
    zone "HC.edu.tw" { type slave; file "sec/zone-HC.edu.tw"; masters { 35; }; };
    zone "237.126.140.IN-ADDR.ARPA" { type slave; file "sec/R-140.126.237"; masters { 35; }; };

Slide 47: Special Symbols on DNS database
  Special symbols for defining the DNS database:
  - "@": current origin
  - "*": wildcard (only for some of the types)
  - ".": root domain
  - "345"

Slide 48: What are the valid characters in a hostname?
  Hostnames can contain letters, numbers, and hyphens, and may not start with a hyphen. Underscore (_) is not a valid character in a hostname. While there are some DNS server software packages available that allow underscores within published host names, most do not. Using a domain or host name with an underscore will cause most name servers on the Internet to stop recognizing the related host/IP address.

Slide 49: BIND (Berkeley Internet Name Domain)
  - Standalone daemon (named)
  - UDP/TCP port 53
  - UDP query/response (512 bytes) + zone transfer
  - DNS message format: Question/Answer section, Authority section, Additional section

Slide 50: DIG output
    ns1% dig .tw ns
    ; DiG 2.2 .tw ns
    ; res options: init recurs defnam dnsrch
    ; got answer:
    ; -HEADER- opcode: QUERY, status: NOERROR, id: 6
    ; flags: qr rd ra; Ques: 1, Ans: 2, Auth: 0, Addit: 2
    ; QUESTIONS:
    ;       .tw, type = NS, class = IN
    ; ANSWERS:
    .tw.    86400   NS      .tw.
    .tw.    86400   NS      cissol1.cis..tw.
    ; ADDITIONAL RECORDS:
    .tw.    86400   A
    .tw.    86400   A       01
    ; Total query time: 8 msec
    ; FROM: ns1 to SERVER: default -
    ; WHEN: Wed Sep 17 11:44:04 1997
    ; MSG SIZE  sent: 33  rcvd: 109

Slide 51: BIND 8 Highlights - from the BIND 8 documentation
  - DNS Dynamic Updates (RFC 2136)
  - DNS Change Notification (RFC 1996)
  - Completely new configuration syntax
  - Flexible, categorized logging system
  - IP-address-based access control for queries, zone transfers, and updates that may be specified on a zone-by-zone basis
  - More efficient zone transfers
  - Improved performance for servers with thousands of zones
  - The server no longer forks for outbound zone transfers
  - Many bug fixes

Slide 52: BIND8 configuration file
  A BIND 8 configuration consists of statements and comments. Statements end with a semicolon. Many statements contain a block of sub-statements, which are also terminated with a semicolon. The BIND 8 comment syntax allows comments to appear anywhere that white space may appear in a BIND configuration file. To appeal to programmers of all kinds, they can be written in C, C++, or shell/perl style: C (/* */), C++ (//), shell (#).

Slide 53: BIND8 statements (1)
  The following statements are supported:
  - acl: defines a named IP address matching list, for access control and other uses
  - include: includes a file
  - key: specifies key information for use in authentication and authorization
  - logging: specifies what the server logs, and where the log messages are sent

Slide 54: BIND8 statements (2)
  - options: controls global server configuration options and sets defaults for other statements
  - controls: declares control channels to be used by the ndc utility
  - server: sets certain configuration options on a per-server basis
  - trusted-keys: defines DNSSEC keys that are pre-configured into the server and implicitly trusted
  - zone: defines a zone
  The logging and options statements may only occur once per configuration.

Slide 55: What is BIND 9?
  - A complete rewrite of the nameserver, library and tools.
  - Includes support for the newer DNS protocol extensions and types. "It's in there."
  - RFC 1035 conformance, for the first time in BIND's 17-year history.

Slide 56: Design Goals of BINDv9
  - Full IPv6 support
  - Very large zones
  - Multiple databases
  - Multi-processor / multi-threaded
  - Secure / auditable / maintainable
  - 8-bit clean
  - EDNS0 support (EDNS1 not supported)
  - DNSSEC support; SSU supported, RFC 2137 not
  - BIND 8 compatibility
  - Thread safety
  - Increased conformance with relevant RFCs

Slide 57: Some of the important features of BIND 9
  - DNS security: DNSSEC (signed zones), TSIG (signed DNS requests)
  - IP version 6: answers DNS queries on IPv6 sockets; IPv6 resource records (A6, DNAME, etc.); bit-string labels; experimental IPv6 resolver library
  - DNS protocol enhancements: IXFR, DDNS, Notify, EDNS0; improved standards conformance
  - Views: one server process can provide multiple views of the DNS namespace, e.g. an inside view to certain clients and an outside view to others
  - Multiprocessor support
  - Improved portability architecture

Slide 58: To Build BINDv9
  To build, just:
    ./configure
    make
  To see additional configure options, run configure --help.
  OpenSSL has been removed from the distribution. This means that to use DNSSEC, OpenSSL must be installed and the --with-openssl option must be supplied to configure. This does not apply to the use of TSIG, which does not require OpenSSL.

Slide 59: /etc/rndc.conf (sample)
    key rndc_key {
        algorithm hmac-md5;
        secret "4b3PAx1d8IlJeIuyLe/T6A=";
    };
    options {
        default-server ;
        default-key rndc_key;
    };

Slide 60: Implicit search problem (RFC 1535)
  Non-RFC-1535-compliant resolver (before v4.9.3):
    .CC.NCTU.EDU.TW.
    .NCTU.EDU.TW    (= some local department)
    .EDU.tw
    .TW
  RFC 1535 compliant:
    .CC.NCTU.EDU.TW
    .NCTU.EDU.TW
    .EDU.tw
    .TW
  More examples: .tw vs ...
  A very bad example: .tw

Slide 61: DNS Resource Records (1) - Common Resource Records
  - A - Address
  - A6 - IPv6 address
  - CNAME - Canonical Name
  - HINFO - Host Information
  - MX - Mail Exchanger
  - NS - Name Server
  - PTR - Pointer
  - SOA - Start Of Authority
  - WKS - Well-Known Service
  - TXT - Text
  - AAAA - IPv6 address (superseded by A6)
  - KEY - Public key
  - KX - Key Exchanger
  - LOC - Location
  - RP - Responsible Person
  - SIG - Cryptographic signature
  - SRV - Server

Slide 62: DNS Resource Records (2) - Other Resource Records
  - AFSDB - AFS Data Base location
  - GPOS - Geographical position
  - ISDN - ISDN
  - NSAP - Network service access point address
  - NXT - Next
  - PX - Pointer to X.400/RFC822
  - RT - Route Through
  - X25 - X25

Slide 63: The meaning of SOA
  - The meaning of SOA
  - A typical example
  - Related issues: dynamic update, Win2K update, default

Slide 64: SOA (Start Of Authority) RR
  The syntax and meaning of a typical SOA RR (BINDv9):
    $TTL 259200     ; default Time-To-Live = 3 days
    ;-
    @   IN SOA dns.NCTU.edu.tw. hostmaster.NCTU.edu.tw. (
                2002083101  ; Serial number
                6H          ; Refresh - 6 hours
                30M         ; Retry - 30 minutes
                1w          ; Expire - 7 days
                1h )        ; Negative Caching TTL
    ;-
        IN NS  ns.NCTU.edu.tw.
        IN NS  ns2.NCTU.edu.tw.
        IN NS  ns3.NCTU.edu.tw.
  Related issues: dynamic update, Win2K update, default

Slide 65: Special cases with mixed DNS concepts
    $Origin XYZ.edu.tw.
    XYZ.edu.tw.        IN NS  ns.XYZ.edu.tw.    ; domain zone = dig @ns.XYZ.edu.tw www.XYZ.edu.tw
    ; XYZ.edu.tw.      IN NS  XYZ.edu.tw.
    XYZ.edu.tw.  7200  IN A   3                 ; domain name = telnet XYZ.edu.tw
    XYZ.edu.tw.        IN MX  0 d2.XYZ.edu.tw.  ; mail exchange = E-mail: user@XYZ.edu.tw

Slide 66: Selection (network) of DNS server
  Master and slave servers should be located on different networks.
    ;-
    $Origin XYZ.edu.tw.
            IN NS  ns.XYZ.edu.tw.
            IN NS  mDNS.XYZ.edu.tw.
            IN NS  ns2.XYZ.edu.tw.
    ;
    ns      IN A   35
    mDNS    IN A   3
    ;
    ns2     IN A

Slide 67: Forward Domain Zone Delegation
    ; There should be the same group of NS RRs on both the domain zone
    ; files of "XYZ.edu.tw" (upper) ...
    ; multi-homed DNS server
    csie.XYZ.edu.tw.   IN A   71
                       IN A   71
    operator           IN A
    ccsun7             IN A

Slide 68: Reverse domain zone delegation
    ; There should be the same group of NS RRs on both domain zone
    ; "168.192.." - -
    $ORIGIN 23.168.192..          ; lower zone
            IN NS  cisserv.cis.XYZ.edu.tw.
            IN NS  cissol1.cis.XYZ.edu.tw.

Slide 69: NS RR Negative Examples (1)
    ; case 1 - improperly assigned slave server (illegal delegation)
    ;-
    $Origin XYZ.edu.tw.
    err1    IN NS  ns-OK.XYZ.edu.tw.
            IN NS  No-named-Host.XYZ.edu.tw.   ; Lame
            IN NS  .tw.                        ; illegal delegation
    ; case 2 - NS -> CNAME, intermittent error
    ;-
    $Origin 2.168.192..
    err2    IN NS  alias-ns.XYZ.edu.tw.        ; intermittent error
            IN NS  ns-OK.XYZ.edu.tw.
    ; case 3 - NS -> A, illegal delegation
    ;-
    $Origin XYZ.edu.tw.
    err3    IN NS  3                           ; should be fqdn/hostname

Slide 70: NS RR Negative Examples (2)
    ; case 4 - NS RR -> non-existent FQDN/hostname (e.g. TYPO, etc.)
    $O.
    err4    IN NS  Non-existent.XYZ.edu.tw.
            IN NS  ns-OK..tw.
    ; case 5 - some NS RR delegated in the upper zone,
    ; but not authoritative in the lower zone
    ;-
    $Origin XYZ.edu.tw.
    err5    IN NS  ns-OK.XYZ.edu.tw.
            IN NS  No-Good-ns.XYZ.edu.tw.
    ;=
    $Origin err5.XYZ.edu.tw.
            IN NS  ns-OK..tw.
            IN NS  ns2-OK..tw.    ; It's OK! (no corresponding NS RR delegation in
                                  ; the upper zone = for use inside a firewall, ...)

Slide 71: Address (A RR)
    ; A single IP addr., but with several different FQDNs.
    $Origin XYZ.edu.tw.
            IN A          ; XYZ.edu.tw.
    ns1     IN A          ; ns1.XYZ.edu.tw.
    ;
    ;-
    ; Multi-homed: one FQDN with many corresponding IP addr.
    $Origin CS.XYZ.edu.tw.
            IN A   71     ; multi-homed
            IN A   23

Slide 72: A RR Negative example
    ; zone file "XYZ.edu.tw" (upper zone)
    ;-
    $Origin XYZ.edu.tw.
    ;
    CIS             IN NS  CisServ.CIS.XYZ.edu.tw.
                    IN NS  CisSol1.CIS.XYZ.edu.tw.
    CisServ.CIS     IN A             ; glue record
    CisSol1.CIS     IN A   01
    ;
    err-A.CIS       IN A   54        ; illegal setting
    ; zone file "CIS.XYZ.edu.tw" (lower zone)
    $Origin CIS.XYZ.edu.tw.
    CIS-gw          IN A   54        ; OK

Slide 73: A RR semantic (error) problem
    $Origin XYZ.edu.tw.
            IN NS  XYZ.edu.tw        ;
            IN A                     ; = XYZ.edu.tw, OK
    ;
            IN NS  ns2.XYZ.edu.tw.
            IN A                     ; = XYZ.edu.tw, invalid
    ; Semantic problem, XYZ.edu.tw -
    ; It might induce some mail routing problem(s).
            IN NS  ns.XYZ.edu.tw.
    ns      IN A   35

Slide 74: MX (Mail eXchange) RR
    ;-
    ; for both normal mail exchange ... Discouraged

Slide 75: Typical Usage of CNAME RR
    ; zone file 1
    $Origin NCTU.edu.tw.
    ;
    netnews     IN CNAME  ccreader.NCTU.edu.tw.   ; fqdn
    ; zone file 2
    $Origin EDU.tw.
    ftp         IN CNAME  nctuccca                ; hostname
    ;
    ; zone file 3
    $Origin TWNIC.net.
    archie      IN CNAME  .tw

Slide 76 (truncated; title not in preview)
    $Origin XYZ.edu.tw.
    ; case 1 - cname looping
    cname-chain IN CNAME  cname-chain.XYZ.edu.tw.
    ; case 2 - ns-cname chaining
    err-ns      IN CNAME  ns-OK.XYZ.edu.tw.       ; FQDN
    err6        IN NS     err-ns.XYZ.edu.tw.      ; alias
    ; case 3 - mx-cname chaining
    err-mx      IN CNAME  mx-host.XYZ.edu.tw.
    err3-cname  IN MX     10 err-mx.XYZ.edu.tw.
    ; case 4 - cname-cname chaining
    alias1      IN CNAME  host1.XYZ.edu.tw.       ; FQDN
    alias2      IN CNAME  alias
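As an added example that is not part of the tutorial, the following zone-file lint flags the negative cases from the NS RR and CNAME slides above: an NS target that is an address literal, an NS or MX target that is a CNAME, an in-zone NS target without an A record (lame delegation), and a CNAME that points to itself. It accepts only a simplified zone format (one `owner IN TYPE rdata` line per record, `;` comments), and the sample zone and its 192.0.2.x addresses are constructed.

```python
"""Lint for the NS, MX and CNAME negative cases shown on the slides (added example,
not the tutorial's code). Simplified zone text: "owner IN TYPE rdata" per line."""
import re

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")   # dotted-quad literal
ZONE = """\
ns-OK       IN A     192.0.2.35                ; constructed address
err1        IN NS    ns-OK.XYZ.edu.tw.
err1        IN NS    No-named-Host.XYZ.edu.tw. ; case 4: target has no A RR
err3        IN NS    192.0.2.3                 ; case 3: NS -> address
alias-ns    IN CNAME ns-OK.XYZ.edu.tw.
err6        IN NS    alias-ns.XYZ.edu.tw.      ; case 2: NS -> CNAME
err3-cname  IN MX    10 alias-ns               ; MX -> CNAME
cname-chain IN CNAME cname-chain               ; CNAME loop
"""

def absolute(name, origin):  # lower-case FQDN without the trailing dot
    return (name[:-1] if name.endswith(".") else f"{name}.{origin}").lower()

def parse_zone(text, origin):
    """Return {(owner, TYPE): [rdata, ...]} with every name made absolute."""
    rrs = {}
    for raw in text.splitlines():
        parts = raw.split(";")[0].split()            # drop comments and blanks
        if not parts:
            continue
        owner, rtype, rdata = absolute(parts[0], origin), parts[2].upper(), parts[3:]
        idx = 1 if rtype == "MX" else 0              # index of the target name
        if rtype in ("NS", "MX", "CNAME") and not IPV4.match(rdata[idx]):
            rdata[idx] = absolute(rdata[idx], origin)
        rrs.setdefault((owner, rtype), []).append(rdata)
    return rrs

def lint(text, origin="xyz.edu.tw"):
    """Return sorted (owner, problem) findings for the zone text."""
    rrs, out = parse_zone(text, origin), []
    for (owner, rtype), records in rrs.items():
        for rdata in records:
            tgt = rdata[1] if rtype == "MX" else rdata[0]
            in_zone = tgt == origin or tgt.endswith("." + origin)
            if rtype == "NS" and IPV4.match(tgt):
                out.append((owner, "NS target is an IP address, not a hostname"))
            elif rtype in ("NS", "MX") and (tgt, "CNAME") in rrs:
                out.append((owner, f"{rtype} target {tgt} is a CNAME"))
            elif rtype == "NS" and in_zone and (tgt, "A") not in rrs:
                out.append((owner, f"NS target {tgt} has no address record (lame)"))
            elif rtype == "CNAME" and tgt == owner:
                out.append((owner, "CNAME points to itself (loop)"))
    return sorted(out)
```

Out-of-zone NS targets (such as `ns-OK..tw` on slide 70) are deliberately not checked for address records, since that needs a lookup outside the zone file.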
